Shining a Light on Shadow IT

What is Shadow Information Technology (IT)?

Shadow IT is when employees use an information technology device or an application to accomplish business objectives outside the realm of the company’s IT department. Individuals within business departments may use technology to solve issues or implement innovation in a do-it-yourself mode. Shadow IT is often seen as rogue or stealth IT in that the solution may not have approval from the organization. OneLogin states that 71% of employees are using applications that are not sanctioned by IT.

Why Does Shadow IT Exist?

There may be many reasons that shadow IT exists in a company. Companies with an entrepreneurial culture may actually encourage users to take action on their own behalf. Perhaps the process to get an IT request approved and completed is lengthy or unclear. To obtain approval, IT projects may have high business case expectations. Or, a business user may feel the problem would never get the attention of the IT department due to lengthy backlogs. Legacy applications may be large and costly for a company to address. The solution preferred by the user department may not be allowed due to established IT standards. Moving applications and data to the cloud with quick provisioning and an absence of infrastructure requirements can make it even easier to circumvent IT.

What is Wrong with Shadow IT?

Shadow IT solutions can provide innovative solutions with immediate business benefits. Although shadow IT may be done by resourceful people with good intentions, it can present issues such as:

Security vulnerabilities

Reliability issues

Performance issues

Lack of control

Quality and inconsistency issues

Additional hidden costs

High risk

Compliance issues

Lack of documentation

Support issues

For example, we often see the case where an employee develops a unique department-specific application, it becomes mission-critical, the employee leaves the company, and no one is able to support the application. Companies must balance innovation against risk.

Developing and supporting shadow IT can become time-consuming for individuals who should be focused on other areas of the business. It can also mask a root problem of legacy applications that may need to be modernized. True IT costs for a company may also be inaccurately reflected. Gartner Research states that 35% of total IT expenditures in 2016 are related to shadow IT.

Security of shadow IT is a growing concern for companies. One of Gartner Research’s top ten security predictions (June 2016) was “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.” Unsanctioned devices and applications can provide a backdoor for hackers, leaving a company’s infrastructure and data vulnerable to security breaches. Security breaches and leaking sensitive data can have a tremendous impact on a company’s finances as well as their reputation, competitive advantage, and viability.

How Can Companies Leverage Shadow IT?

In the past, a CIO would try to shut down shadow IT. Today, that is virtually impossible. With tools readily available and people who may be as adept and innovative with technology as application programmers, just saying no to shadow IT is neither realistic nor advisable. IT cannot ignore shadow IT and hope that it goes away. It won’t go away, and will probably increase in the future.

Following is a checklist of five areas to help a company manage and obtain more value from shadow IT.

1. Fix the Root Cause.

Find out why shadow IT crept into the organization; what caused it.

Make sure IT can address specialized departmental needs without lengthy processes.

Have an agile approval and governance process, with departmental requests having a voice.

Ensure IT is not perceived as a bottleneck. Respond to departmental requests in a timely manner with a partnership-style approach.

2. Embrace it.

Update policies and standards to incorporate shadow IT.

Provide training for users in the tools they should use and standards they should follow.

Change the skillset of IT workers so they can assist with end-user tools.

It’s not a matter of if a breach will happen, but rather when and how. Be ready and have clear plans in place for actions and communication when it occurs, whether in an enterprise system or shadow IT system.

Ensure users and IT are sufficiently cross-trained on shadow IT systems.

Shore up the budgeting loophole. Shadow IT may develop because it is easier to get money in a departmental budget than the IT budget. Highlight shadow IT costs and include these budget requests as part of the IT spend.

5. Change the culture.

The IT mindset must change from “I know best how to do technology” to embrace and value the innovators throughout the business.

Move away from an “IT against the business” mindset. Have a strong business and IT relationship to coordinate and work together.

Educate users on what they should and should not do, the risks, and their responsibility for security. Some employees may not know there is anything wrong with what they are doing.

Embed IT resources in the organization to better know the business, understand business processes, and gain business perspectives. Proactively identify departmental needs. Focus first on the business needs rather than technology.

Tell us what you think of our checklist. Have you found other creative ways to team with shadow IT? We want to hear from you!

About Anita Cassidy

Anita has over 30 years of experience in executive management of IT. She is experienced in strategic planning, e-business strategy, process improvement, IT assessments, software selection, temporary IT leadership, and CIO mentoring.
